svn rev #23417: branches/fast-negotiate/src/ include/krb5/ lib/krb5/krb/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Dec 2 11:16:35 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23417
Commit By: hartmans
Log Message:
If FAST is known to be available for the target realm and an armor ticket is supplied, use the armor ticket; otherwise do not use it unless KRB5_FAST_REQUIRED is set.
* KRB5_FAST_REQUIRED: new FAST flag
* krb5int_fast_as_armor: examine negotiation state
As a result of this change cross-realm armor tickets will generally
not be used unless KRB5_FAST_REQUIRED is set in the gic_options.
Changed Files:
U branches/fast-negotiate/src/include/krb5/krb5.hin
U branches/fast-negotiate/src/lib/krb5/krb/fast.c
Modified: branches/fast-negotiate/src/include/krb5/krb5.hin
===================================================================
--- branches/fast-negotiate/src/include/krb5/krb5.hin 2009-12-02 16:16:32 UTC (rev 23416)
+++ branches/fast-negotiate/src/include/krb5/krb5.hin 2009-12-02 16:16:35 UTC (rev 23417)
@@ -2301,6 +2301,9 @@
krb5_get_init_creds_opt_get_fast_flags
(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+/* Fast flags*/
+#define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
krb5_principal client, char *password,
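Review bot: The new macro body `1l<<0` is not parenthesized, so `KRB5_FAST_REQUIRED` expands as a bare shift into whatever expression uses it; the `&` and `|` uses in fast.c happen to bind correctly, but an equality test or a unary operator applied to the macro would not. Write it as `#define KRB5_FAST_REQUIRED (1l<<0) /*!< Require KDC to support FAST: armor the request and fail rather than fall back */`, which also gives the Doxygen comment the meaning of "require" that the log message describes. The lowercase `l` suffix is easy to misread as a digit; `1L` is the usual spelling. The comment on the line above, `/* Fast flags*/`, should read `/* FAST flags */` to match the acronym used elsewhere in the header.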
Modified: branches/fast-negotiate/src/lib/krb5/krb/fast.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/fast.c 2009-12-02 16:16:32 UTC (rev 23416)
+++ branches/fast-negotiate/src/lib/krb5/krb/fast.c 2009-12-02 16:16:35 UTC (rev 23417)
@@ -56,7 +56,7 @@
static krb5_error_code
fast_armor_ap_request(krb5_context context,
struct krb5int_fast_request_state *state,
- krb5_ccache ccache, krb5_data *target_realm)
+ krb5_ccache ccache, krb5_principal target_principal)
{
krb5_error_code retval = 0;
krb5_creds creds, *out_creds = NULL;
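Review bot: The signature now takes a `krb5_principal target_principal` whose ownership is not stated at the function, and the body (which continues below this hunk) aliases it into a `krb5_creds` that is later passed to `krb5_free_cred_contents`, so the contract matters to anyone touching the cleanup path. A comment above `static krb5_error_code` such as `/* target_principal is borrowed from the caller for the duration of the call; it is never freed or consumed here. */` would make that explicit, and the same note could mention that `ccache` is likewise only read. As far as this hunk shows, the parameter is the TGT principal for the armor realm, but that is established in the caller, not here.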
@@ -66,9 +66,8 @@
krb5_keyblock *subkey = NULL, *armor_key = NULL;
encoded_authenticator.data = NULL;
memset(&creds, 0, sizeof(creds));
- retval = krb5_tgtname(context, target_realm, target_realm, &creds.server);
- if (retval ==0)
- retval = krb5_cc_get_principal(context, ccache, &creds.client);
+ creds.server = target_principal;
+ retval = krb5_cc_get_principal(context, ccache, &creds.client);
if (retval == 0)
retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
if (retval == 0)
@@ -98,6 +97,8 @@
krb5_free_keyblock(context, subkey);
if (out_creds)
krb5_free_creds(context, out_creds);
+ /*target_principal is owned by caller*/
+ creds.server = NULL;
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
krb5_free_data_contents(context, &encoded_authenticator);
@@ -138,13 +139,29 @@
{
krb5_error_code retval = 0;
krb5_ccache ccache = NULL;
+ krb5_principal target_principal = NULL;
+ krb5_data *target_realm;
krb5_clear_error_message(context);
+ target_realm = krb5_princ_realm(context, request->server);
if (opte->opt_private->fast_ccache_name) {
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
- if (retval==0)
+ if (retval == 0)
+ retval = krb5_tgtname(context, target_realm, target_realm, &target_principal);
+ if (retval == 0) {
+ krb5_data config_data;
+ config_data.data = NULL;
+ retval = krb5_cc_get_config(context, ccache,
+ target_principal, KRB5_CCCONF_FAST_AVAIL,
+ &config_data);
+ if ((retval == 0) && config_data.data )
+ opte->opt_private->fast_flags |= KRB5_FAST_REQUIRED;
+ krb5_free_data_contents(context, &config_data);
+ retval = 0;
+ }
+ if (retval==0 && (opte->opt_private->fast_flags &KRB5_FAST_REQUIRED))
retval = fast_armor_ap_request(context, state, ccache,
- krb5_princ_realm(context, request->server));
+target_principal);
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
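Review bot: The FAST_AVAIL lookup writes its result straight into `opte->opt_private->fast_flags`, so one successful `krb5_cc_get_config` hit permanently sets KRB5_FAST_REQUIRED on the caller's gic_options, and any later use of that same options object, even with a different armor ccache or a different target realm, will then insist on armor. If that persistence is deliberate (presumably it is what lets the rest of the exchange refuse an unarmored reply), a one-line comment at the `|=` saying so would save the next reader a double-take; if not, keep the decision in a local and test `(opte->opt_private->fast_flags & KRB5_FAST_REQUIRED) || fast_avail` instead. The unconditional `retval = 0;` after the lookup also discards errors other than "entry not present", which is fine for a best-effort probe but deserves a comment such as `/* absence of the config entry is not an error; FAST_AVAIL is advisory */`. Minor style: `if ((retval == 0) && config_data.data )` and `fast_flags &KRB5_FAST_REQUIRED` have stray spacing, and the `target_principal);` continuation sits at column 0 rather than under the opening parenthesis of the call; the enclosing function's signature is above this hunk and its cleanup is below it.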
@@ -156,6 +173,8 @@
}
if (ccache)
krb5_cc_close(context, ccache);
+ if (target_principal)
+ krb5_free_principal(context, target_principal);
return retval;
}